FFmpeg security fixes December 2015
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ffmpeg (Ubuntu) |
Fix Released
|
Medium
|
Unassigned |
Bug Description
FFmpeg 2.5.9 fixing a number of crashes and other potentially security relevant issues (including CVE-2015-6761, CVE-2015-8216, CVE-2015-8219, CVE-2015-8363, CVE-2015-8364 and CVE-2015-8365) was released.
From the upstream Changelog:
version 2.5.9
- avcodec/hevc: Check max ctb addresses for WPP
- avcodec/vp3: ensure header is parsed successfully before tables
- avcodec/
- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int
- swscale/utils: Fix for runtime error: left shift of negative value -1
- avcodec/hevc: Fix integer overflow of entry_point_offset
- avcodec/
- avcodec/
- avcodec/
- avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows
- avcodec/wmaprodec: Fix overflow of cutoff
- avformat/smacker: fix integer overflow with pts_inc
- avcodec/vp3: Fix "runtime error: left shift of negative value"
- mpegencts: Fix overflow in cbr mode period calculations
- avutil/timecode: Fix fps check
- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows
- avcodec/apedec: Check length in long_filter_
- avcodec/vp3: always set pix_fmt in theora_
- avcodec/
- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd
- avutil/integer: Fix av_mod_i() with negative dividend
- avformat/dump: Fix integer overflow in av_dump_format()
- avcodec/utils: Clear dimensions in ff_get_buffer() on failure
- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()
- avcodec/vp3: Clear context on reinitialization failure
- avcodec/hevc: allocate entries unconditionally
- avcodec/hevc_cabac: Fix multiple integer overflows
- avcodec/
- avcodec/
- avcodec/hevc: Check entry_point_offsets
- avcodec/cabac: Check initial cabac decoder state
- avcodec/
- avcodec/ffv1dec: Clear quant_table_count if its invalid
- avcodec/ffv1dec: Print an error if the quant table count is invalid
- doc/filters/
- avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized
- avcodec/vp8: Do not use num_coeff_
- rtmpcrypt: Do the xtea decryption in little endian mode
- avformat/
- avformat/utils: Do not init parser if probing is unfinished
- avcodec/
- avcodec/
- avcodec/jpeg2000: Check comp coords to be within the supported size
- avcodec/jpeg2000: Use av_image_
- avcodec/wmaprodec: Check for overread in decode_packet()
- avcodec/smacker: Check that the data size is a multiple of a sample vector
- avcodec/takdec: Skip last p2 sample (which is unused)
- avcodec/dxtory: Fix input size check in dxtory_
- avcodec/dxtory: Fix input size check in dxtory_
- avcodec/
- avcodec/dpx: Move need_align to act per line
- avcodec/flashsv: Check size before updating it
- avcodec/ivi: Check image dimensions
- avcodec/utils: Better check for channels in av_get_
- avcodec/
- avcodec/
- avcodec/
- avcodec/
- avformat/xmv: Discard remainder of packet on error
- avformat/xmv: factor return check out of if/else
- libavutil/
- avcodec/ffv1dec: Check for 0 quant tables
- avcodec/mjpegdec: Reinitialize IDCT on BPP changes
- avcodec/mjpegdec: Check index in ljpeg_decode_
- avutil/file_open: avoid file handle inheritance on Windows
- opusdec: Don't run vector_fmul_scalar on zero length arrays
- avcodec/ffv1: Initialize vlc_state on allocation
- avcodec/ffv1dec: update progress in case of broken pointer chains
- avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header decoding fails for other reasons
- avformat/httpauth: Add space after commas in HTTP/RTSP auth header
- avcodec/x86/sbrdsp: Fix using uninitialized upper 32bit of noise
- avcodec/ffv1dec: Fix off by 1 error in quant_table_count check
- avcodec/ffv1dec: Explicitly check read_quant_table() return value
- avcodec/rangecoder: Check e
- lavf/webvttenc: Require webvtt file to contain exactly one WebVTT stream.
- avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG
- avfilter/
- avcodec/g2meet: Also clear tile dimensions on header_fail
- avcodec/g2meet: Fix potential overflow in tile dimensions check
- avcodec/svq1dec: Check init_get_bits8() for failure
- avcodec/tta: Check init_get_bits8() for failure
- swresample/
- avformat/mov: Fix integer overflow in FFABS
- avutil/common: Add FFNABS()
- avutil/common: Document FFABS() corner case
- avformat/dump: Fix integer overflow in aspect ratio calculation
- avcodec/
- avcodec/mpeg12dec: Set dimensions in mpeg1_decode_
- avcodec/libopusenc: Fix infinite loop on flushing after 0 input
- avformat/hevc: Check num_long_
- avformat/hevc: Fix parsing errors
- ffmpeg: Use correct codec_id for av_parser_change() check
- ffmpeg: Check av_parser_change() for failure
- ffmpeg: Check for RAWVIDEO and do not relay only on AVFMT_RAWPICTURE
- ffmpeg: check avpicture_fill() return value
- avformat/mux: Update sidedata in ff_write_chained()
- avcodec/flashsvenc: Correct max dimension in error message
- avcodec/svq1enc: Check dimensions
- avcodec/dcaenc: clear bitstream end
- libavcodec/
- mxfdec: check edit_rate also for physical_track
- mpegvideo: clear overread in clear_context
- dvdsubdec: validate offset2 similar to offset1
- avcodec/takdec: Use memove, avoid undefined memcpy() use
- jvdec: avoid unsigned overflow in comparison
- avcodec/mpeg12dec: Do not call show_bits() with invalid bits
- riffdec: prevent negative bit rate
- Merge commit 'd80811c94e0680
- imc: use correct position for flcoeffs2 calculation
- wavpack: limit extra_bits to 32 and use get_bits_long
- wavpack: use get_bits_long to read up to 32 bits
- nutdec: check maxpos in read_sm_data before returning success
- s302m: fix arithmetic exception
- avcodec/s302m: Only set the sample rate when some data is output
- vp9: add support for resolution changes in inter frames.
- alsdec: limit avctx->
- vp9: avoid infinite loop with broken files
- videodsp: don't overread edges in vfix3 emu_edge.
- avcodec/
- avformat/oggenc: Check segments_count for headers too
- avformat/avidec: Workaround broken initial frame
- hevc: properly handle no_rasl_output_flag when removing pictures from the DPB
- hevc: fix wpp threading deadlock.
- avcodec/ffv1: separate slice_count from max_slice_count
- lavf/img2dec: Fix memory leak
- avcodec/mp3: fix skipping zeros
- avformat/srtdec: make sure we probe a number
- avformat/srtdec: more lenient first line probing
- doc: mention libavcodec can decode Opus natively
- MAINTAINERS: Remove myself as leader
information type: | Private Security → Public Security |
Changed in ffmpeg (Ubuntu): | |
importance: | Undecided → Medium |
Attached is a debdiff. (git repo is at [1])
Testing performed (in a vivid chroot):
* build including test suite works
* installation works
* upgrade works
* no regressions in the autopkgtests from 2.8.3-1
1: https:/ /anonscm. debian. org/cgit/ collab- maint/ffmpeg. git/log/ ?h=vivid